CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Cyber Espionage: The Harsh Reality of Advanced Security Threats

Many organizations are unprepared to protect themselves against the latest generation of automated cyber attacks. Is yours?

Legend has it that ostriches bury their heads in sand to avoid danger—the belief is that if I cannot see peril, it cannot see me. For decades, some businesses have been operating as though they were ostriches with respect to cyber threats, burying their heads in a protective sand of compliance requirements and safe practice regulations. But it is time to stop hiding and start confronting the harsh reality of advanced cyber threats. Organizations can begin to do this by adopting a more appropriate and proactive security posture that includes business-enabling capabilities. CIOs should help their business colleagues understand this harsh reality as well as play a key role in designing and implementing a proactive response.

In this article, the first in a three-part series, we explore the nature of advanced cyber security threats. The second part sets out a proactive approach for addressing those threats, and the third article provides an overview of the cyber risks stemming from employee behaviors.

The Automated Attack

Today, covert activities are occurring below the radar on practically every continent, as cyber adversaries attempt to embed themselves within organizations and government institutions by using stealth techniques and exploits. First generation security practices are no longer sufficient to protect rich targets such as research and development, business strategy, intellectual property, and other business-sensitive information that, if compromised, could damage the company, its place in the industry, and its relationship with consumers or investors. Advanced Persistent Threats (APTs) are the cause and the silent perpetrator of these attacks.

APTs are modern, automated versions of traditional espionage, which was originally more reliant on humans operating in the physical world. Operatives leverage and obfuscate cyber techniques, modeled after those in the physical world, in order to steal information and proprietary data in the cyber realm. Adversaries often use a methodical approach to research, plan, and execute their attack sequence. Unlike traditional malware, APTs are rarely detected and do not trigger any alerts that would indicate that an incident is occurring within the enterprise. They are challenging to detect and combat because they can covertly embed themselves into your environment, which enables them to reemerge undetected to steal additional data.

Opportunistic in nature, APTs are able to act on known or unknown vulnerabilities (some of which are available for purchase on the black market). APTs search for the path of least resistance until they can get a foothold in which to insert and conceal themselves within an organization’s IT infrastructure.

Many organizations currently are not organized, equipped, staffed, or positioned to look specifically for APTs. Information security practices and operations are often deployed in a siloed environment, and as a result, information in separate divisions usually does not get aggregated, correlated, and analyzed. What’s more, APTs often are undetected even where anti-virus software is present, and malware may not deploy until it bypasses antivirus software. To make matters worse, information gathered from APTs yields insight into traditional corporate protective measures and thwarts standard commercial security, literally putting everything at risk from intellectual property to actual strategic business processes.

APTs use various techniques to mask their activities. In fact, APTs rarely employ any tactics that hurt the current security infrastructure because they have an ulterior motive that benefits from hiding—that is, to set up undetected occupancy, allowing criminals a right of entry for conducting surveillance and gathering data. Injury comes later, after the information is used. In many cases, cyber criminals gain access to the desired information via valid credentials.

Exploiting Human Vulnerabilities

Often, sophisticated technology isn’t required to infiltrate an organization. Cyber attackers can exploit human vulnerabilities as well. Social networking, for example, provides a low-risk environment for cyber criminals or nation-states to collect strategic information about a company, a hierarchy of employees, and organizational practices. Popular networking sites create a comfort zone for users. When posting on their own social media pages, responding to instant messages, opening tempting e-mails, and giving access to “friends,” most people behave without a strong sense of suspicion. Instead, they operate under a false sense of security and freedom, offering criminals easy access to continuous and vast amounts of personal data and a plethora of opportunities for direct (albeit disguised) contact.

Criminal entities combine social media intelligence-harvesting techniques with sending e-mails (essentially a Pandora’s box) to any number of employees about a relevant topic. This process, called “spear phishing,” allows for the low-key distribution of malware once the recipient opens the e-mail. Realistically, anyone anywhere can essentially build out an entire database of profiles of employees who work for the targeted company. The profile can include items such as job title, cell phone, personal Web page, and social-networking memberships.

Moving Toward a Proactive Response

Enterprises competing in the worldwide marketplace with innovative components or solutions face the greatest risks if they experience impediments to conducting business, and thus have the greatest need to protect intellectual property. Intangible threats exist as well, including damage to the brand due to public awareness of a security breach, loss of competitive edge, and loss of confidence. So, what is to be done? Next in this series, we will set out our recommendations for a proactive response to the harsh reality of cyber threats. In the third and final article, we’ll look at addressing employees’ human vulnerabilities.

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations.